Snyk Monitor is often misunderstood as just a reporting tool. Its core function is to keep a live, continuously re-evaluated inventory of your application’s dependencies and the vulnerabilities known to affect them, acting as a persistent security baseline for each project.

Let’s see Snyk Monitor in action. Imagine you’ve got a Node.js project.

First, you’ll need to install the Snyk CLI and authenticate:

npm install -g snyk
snyk auth

Now, let’s monitor your project. This command uploads a snapshot of your project’s dependency tree to Snyk and tells Snyk to keep checking that snapshot against its vulnerability database, alerting you as new vulnerabilities are published. It is not a one-off scan of your working copy; it establishes a continuous feedback loop for the tree you uploaded.

snyk monitor --file=package-lock.json

After running snyk monitor, Snyk registers the project in its cloud platform (or updates it if it already exists) and prints a link to the snapshot. You can then open your Snyk project dashboard to see a detailed view of your dependencies, their licenses, and any known vulnerabilities. The real power is that Snyk re-evaluates the uploaded tree against its vulnerability database as new advisories are published. The tree itself is refreshed only when you update dependencies locally and run snyk monitor again, so the monitored snapshot is only as current as your last run.

Contrast this with snyk test.

snyk test --file=package-lock.json

snyk test is a point-in-time scan. It checks the dependencies in your current project against Snyk’s vulnerability database at that exact moment and reports any findings. It’s like taking a snapshot that is not retained: nothing is registered for ongoing tracking. Two details make it useful as a gate: it exits with a non-zero status when it finds vulnerabilities, which is what fails a CI job, and --severity-threshold lets you ignore findings below a given level. By default it scans production dependencies only; add --dev to include devDependencies. It’s excellent for immediate feedback during development or in CI/CD pipelines to catch issues before they get merged.

Here’s a typical CI/CD integration using snyk test. The install step uses npm ci rather than npm install so the committed package-lock.json is installed exactly as-is and is never rewritten before it is scanned:

# Example GitHub Actions workflow snippet
name: Snyk Security Scan

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Install dependencies
        run: npm ci
      - name: Run Snyk test
        # Pin a moving branch such as @master to a release tag or commit SHA before relying on it in production.
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          # Exit non-zero (failing the job) on high or critical findings; lower severities are still reported.
          args: --file=package-lock.json --severity-threshold=high

The core problem Snyk addresses is the sheer complexity and constant evolution of open-source component vulnerabilities. Developers often have little visibility into the transitive dependencies they’re pulling in, and new vulnerabilities are discovered daily. snyk test provides immediate feedback on the current state, while snyk monitor provides ongoing assurance and proactive alerting.

When you run snyk monitor, it uploads a snapshot of your dependency tree to Snyk. This snapshot includes versions of all direct and transitive dependencies. Snyk then continuously compares this snapshot against its vulnerability database. If a new vulnerability affecting any of your dependencies is disclosed, Snyk will generate an alert for that specific project. The key differentiator is the persistence and alerting based on newly discovered issues, not just the current state.

The real power of snyk monitor is its ability to detect vulnerabilities that were not present or known when you last ran snyk test. For instance, a critical vulnerability might be disclosed in a library your application uses, but you haven’t made any code changes or dependency updates. snyk monitor will detect this new vulnerability associated with your project’s tracked dependency tree and notify you, even if you haven’t run snyk test since the vulnerability was published. This is crucial for maintaining a secure posture for deployed applications without constant manual re-scans.

If you run snyk monitor once and later run snyk test in your CI pipeline, snyk test reports on the current state of the checked-out lockfile. A vulnerability introduced by a dependency update since the last snyk monitor run is caught immediately by snyk test in the pipeline; the monitoring side does not see the new package until you run snyk monitor again, because it only knows the tree you last uploaded. The usual pattern is therefore to run snyk test on pull requests and snyk monitor on every merge to the main branch or on each deploy, so the monitored snapshot always matches what is actually running. Together they give a layered defense: test gates changes, monitor watches what shipped.

The most overlooked aspect of snyk monitor is its capacity to track license compliance over time. Beyond security vulnerabilities, snyk monitor also flags dependencies that introduce license issues, such as copyleft licenses that might conflict with your proprietary code. This ongoing license monitoring is invaluable for legal and compliance teams who need assurance that the open-source components used do not pose a legal risk.

The next step after ensuring your projects are monitored is to integrate Snyk’s capabilities into your development workflow to proactively fix issues identified by either test or monitor.
